  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Incident Response Enhancements using Streamlined UAV Mission Planning, Imaging, and Object Detection

Link, Eric Matthew 29 June 2023
Systems composed of simple, reliable tools are needed to facilitate adoption of Uncrewed Aerial Vehicles (UAVs) into incident response teams. Existing systems require operators to have a highly skilled level of knowledge of UAV operations, including mission planning, low-level system operation, and data analysis. In this paper, a system is introduced to reduce required operator knowledge level via streamlined mission planning, in-flight object detection, and data presentation. For mission planning, two software programs are introduced that utilize geographic data to: (1) update existing missions to a constant above ground level altitude; and (2) auto-generate missions along waterways. To test system performance, a UAV platform based on the Tarot 960 was equipped with an Nvidia Jetson TX2 computing device and a FLIR GigE camera. For demonstration of on-board object detection, the You Only Look Once v8 model was trained on mock propane tanks. A Robot Operating System package was developed to manage communication between the flight controller, camera, and object detection model. Finally, software was developed to present collected data in easy-to-understand interactive maps containing both detected object locations and surveyed area imagery. Several flight demonstrations were conducted to validate both the performance and usability of the system. The mission planning programs accurately adjust altitude and generate missions along waterways. While in flight, the system demonstrated the capability to take images, perform object detection, and return estimated object locations with an average accuracy of 3.5 meters. The calculated object location data was successfully formatted into interactive maps, providing incident responders with a simple visualization of target locations and surrounding environment.
Overall, the system presented meets the specified objectives by reducing the required operator skill level for successful deployment of UAVs into incident response scenarios. / Master of Science / Systems composed of simple, reliable tools are needed to facilitate adoption of Uncrewed Aerial Vehicles (UAVs) into incident response teams. Existing systems require operators to have a high level of knowledge of UAV operations. In this paper, a new system is introduced that reduces required operator knowledge via streamlined mission planning, in-flight object detection, and data presentation. Two mission planning computer programs are introduced that allow users to: (1) update existing missions to maintain constant above ground level altitude; and (2) to autonomously generate missions along waterways. For demonstration of in-flight object detection, a computer vision model was trained on mock propane tanks. Software for capturing images and running the computer vision model was written and deployed onto a UAV equipped with a computer and camera. For post-flight data analysis, software was written to create image mosaics of the surveyed area as well as to plot detected objects on maps. The mission planning software was shown to appropriately adjust altitude in existing missions and to generate new missions along waterways. Through several flight demonstrations, the system appropriately captured images and identified detected target locations with an average accuracy of 3.5 meters. Post-flight, the collected images were successfully combined into single-image mosaics with detected objects marked as points of interest. Overall, the system presented meets the specified objectives by reducing the required operator skill level for successful deployment of UAVs into incident response scenarios.
2

Aspects of Modeling Fraud Prevention of Online Financial Services

Dan, Gorton January 2015
Banking and online financial services are part of our critical infrastructure. As such, they comprise an Achilles heel in society and need to be protected accordingly. The last ten years have seen a steady shift from traditional show-off hacking towards cybercrime with great economic consequences for society. The different threats against online services are getting worse, and risk management with respect to denial-of-service attacks, phishing, and banking Trojans is now part of the agenda of most financial institutions. This trend is overseen by responsible authorities who step up their minimum requirements for risk management of financial services and, among other things, require regular risk assessment of current and emerging threats. For the financial institution, this situation creates a need to understand all parts of the incident response process of the online services, including the technology, sub-processes, and the resources working with online fraud prevention. The effectiveness of each countermeasure has traditionally been measured for one technology at a time, for example, leaving the fraud prevention manager with separate values for the effectiveness of authentication, intrusion detection, and fraud prevention. In this thesis, we address two problems with this situation. Firstly, there is a need for a tool which is able to model current countermeasures in light of emerging threats. Secondly, the development process of fraud detection is hampered by the lack of accessible data. In the main part of this thesis, we highlight the importance of looking at the “big risk picture” of the incident response process, and not just focusing on one technology at a time. In the first article, we present a tool which makes it possible to measure the effectiveness of the incident response process. We call this an incident response tree (IRT). In the second article, we present additional scenarios relevant for risk management of online financial services using IRTs.
Furthermore, we introduce a complementary model which is inspired by existing models used for measuring credit risks. This enables us to compare different online services, using two measures, which we call Expected Fraud and Conditional Fraud Value at Risk. Finally, in the third article, we create a simulation tool which enables us to use scenario-specific results together with models like return of security investment, to support decisions about future security investments. In the second part of the thesis, we develop a method for producing realistic-looking data for testing fraud detection. In the fourth article, we introduce multi-agent based simulations together with social network analysis to create data which can be used to fine-tune fraud prevention, and in the fifth article, we continue this effort by adding a platform for testing fraud detection. / Online financial services are part of our critical infrastructure. As such, they constitute an Achilles heel in society and must be protected accordingly. Over the last ten years there has been a shift from traditional intrusions carried out to show off one's skills towards cybercrime with great economic consequences for society. The various threats against online services have grown worse, and risk management with respect to denial-of-service attacks, phishing, and banking Trojans is now part of the agenda of financial institutions. This trend is overseen by responsible authorities, who gradually raise their minimum requirements for risk management and, among other things, require regular risk assessment of existing and new threats. For the financial institution, this situation creates a need to understand all parts of the incident response process, including its technology, sub-processes, and the resources that can work with fraud prevention.
Traditionally, the effectiveness of each countermeasure has been measured, where possible, for one technology at a time, which leaves those responsible for fraud prevention with separate values for authentication, intrusion detection, and fraud detection. In this thesis, we have focused on two problems with this situation. First, there is a need for a tool that can model the effectiveness of the institution's combined countermeasures in light of existing and new threats. Second, there is a lack of access to data for research on fraud detection, which hampers development in the field. In the main part of the thesis, the emphasis is on studying the "whole" incident response process instead of focusing on one technology at a time. In the first article, we present a tool that makes it possible to measure the effectiveness of the incident response process. We call this tool an "incident response tree" (IRT). In the second article, we present a number of scenarios that are relevant for risk management of online financial services using IRTs. We also develop a complementary model inspired by existing models for measuring credit risk. Using scenario-dependent measures of "expected fraud" and "value at risk", we are able to compare risks between different online services. Finally, in the third article, we create an agent-based simulation tool that makes it possible to use scenario-specific results together with models such as "return on security investment" to support decisions about future investments in countermeasures. In the second part of the thesis, we develop a method for generating synthetic data for testing fraud detection. In the fourth article, we present an agent-based simulation tool which, with the help of, among other things, "social network analysis", can be used to generate realistic-looking synthetic data.
In the fifth article, we continue this work by adding a platform for testing fraud detection. / QC 20151103
3

Detecting Objective-C Malware through Memory Forensics

Case, Andrew 13 May 2016
Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
4

Incident Response Planning for Selected Livestock Shows

Tomascik, Chelsea Roxanne 2011 December 1900
Incidents affecting the livestock industry are unavoidable in today's society. These incidents can happen at livestock shows across the country putting thousands of exhibitors, visitors, employees and livestock in danger. The purpose of this study was to determine local officials' perceptions and awareness of incident planning and response pertaining to selected livestock shows. Little research has been completed in this area; therefore, this foundational study was needed. The objectives of this study were to determine local officials' awareness of livestock shows and incident response plans for those livestock shows. In addition, the researcher wanted to describe the roles of local officials in incident planning and response at livestock shows. Level of communication and perceptions of challenges at livestock shows and among local officials were also evaluated. Lastly, the researcher wanted to describe local officials' recommendations for effective incident planning and response related to livestock shows. Five participants remarked on the value of this study and agreed to participate. These participants included livestock show officials involved in incident planning and response or local emergency management officials. Each participant was interviewed, and then data were transcribed and categorized to consensus. Nine themes arose including: background information, challenges, communication, example incidents, executing incident response, incident response planning, incident response training, miscellaneous and need for planning. It was concluded that all participants were aware of the selected livestock shows. However, levels of awareness varied by participant due to work-related experiences with the livestock show. The two livestock show participants were aware of specific incident response plans for the livestock show, while the three local emergency management officials were aware of city emergency management plans. 
Each participant remarked upon their roles in planning and executing incident response. In addition, communication was thought to be one of the key factors to successful incident planning and response. Challenges ranging from lack of communication to training for incident response were stated. Lastly, participants remarked on recommendations for others planning for incident response at livestock shows. These recommendations included communication, preplanning, building relationships with key stakeholders, training, and a need for more planning and research in this area. It is recommended that this study be replicated with scaled objectives for measuring awareness of livestock shows and incident response plans. Also, replicate this study to determine level of training in incident response and safe handling of livestock. It is recommended to describe communication between livestock shows and local emergency management officials. Lastly, it is recommended to replicate this study with regional livestock shows and state fairs.
5

The study of incident response in Taiwan

Liaw, Bon-Yen 03 October 2002
Due to the enlargement of the use of the Internet, computers are no longer separated systems. On the contrary, the frequency of sharing between computers' computing abilities, devices, and resources has been surprisingly high in the last few decades. This situation gives people a more convenient network situation. However, dangers also come along. Ever since the event that occurred in 1988, the first computer worm (Morris Worm) has made people aware of this issue. The computer network world has become an environment that contains many potential dangers. Whereas the computer security incidents are increasing dramatically, many countries have established some specific organizations to solve these problems. TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center) is one of these organizations. The utilities of TWCERT/CC are to help people be aware of computer network dangers, to make responses and coordinate the security incidents inside and outside Taiwan, and to supervise the security circumstances in Taiwan and to announce alerts or take proper actions when the situation is serious. Responding to and coordinating those incidents in TWCERT/CC is one crucial everyday job which requires a very complicated procedure. However, handling the security incidents without a systematic method would be a heavy load for a computer security incident response team. This research is to develop a systematic method and procedure to handle incidents and a system that can implement this procedure. The goal is to shorten the processing time of incidents and enhance the accuracy of handling incidents, and to analyze the data collected from the system to get useful information.
6

Supporting Support Engineers

Kutomi, Esdras 13 April 2020
The steady and uninterrupted availability of systems is essential for the mission of many companies and other organizations. This responsibility relies mostly upon support engineers, who are responsible to respond to incidents. Incident response is a unique type of task in software engineering, given it carries distinguishing characteristics like risks, pressure, incomplete information and urgency. Despite the importance of this task for many organizations, little can be found in the literature about the incident response task and model. To fill the gap, we created a theoretical foundation to foster research on incident response. We conducted an interview study, asking 12 support engineers about their experiences dealing with outages, service degradation, and other incidents that demanded an urgent response. We used our 22 collected cases to identify important concepts of incidents and their dimensions, and created an ontology of incidents and a model of the incident response. To validate the usefulness of our results, we analyzed our incidents based on our ontology and model, providing some insights related to detection of incidents, investigation and the hand over process. We also provide analytical insights related to the prevention of resource limitation incidents. Finally, we validate the usefulness of our research by proposing an improvement on monitoring tools used by support engineers.
7

Cybersecurity Capabilities in a Critical Infrastructure Sector of a Developing Nation

Catota Quintana, Frankie 01 December 2016
When information technology is incorporated into the operations of financial critical infrastructure, it brings with it a range of cyber risks, and mitigating them requires that firms and regulators develop capabilities to foster protection. The sophistication of cyber threats to the financial sector has been growing rapidly. Developed nations have worked hard to improve their knowledge of these threats and establish strategies to respond accordingly. However, in developing nations, both the understanding of the risks posed by cyber threats and the ability to address those risks have been slower to evolve. Developing the needed cybersecurity capabilities in developing countries encounters challenges that need to be identified and addressed. In order to begin to do that, this thesis reports on three studies conducted in the context of Ecuador. The first study identifies and assesses incident experiences, challenges, barriers, and desired actions reported by financial security managers with the objective of identifying strategies to enhance incident response capabilities. The second study begins with the security incidents reported by the Ecuadorian financial stakeholders during the first study and assesses the potential effectiveness of the government policy that is intended to address IT risk in the financial sector. The third study explores the challenges that universities face in order to provide cybersecurity instruction to protect critical infrastructure and explores potential strategies to advance cybersecurity education at the university level. In support of this work we collected data from national practitioners involved in responding to security incidents and in developing cybersecurity skills. Sixty-one in-depth, semi-structured interviews across five cities were conducted (95% in person, the rest by telephone) with respondents who had good knowledge in the subjects.
Respondents come mainly from: the financial sector (CISOs, risk and IT managers, security chiefs, security officers, authorities); telecommunications sector, especially ISPs (managers, directors, engineers, authorities); and academia (deans, directors, professors). We transcribed all the interviews, coded them and conducted qualitative text analysis. This research finds that (1) the financial sector is already facing risks driven by outsiders and insiders that lead to fraud and operational errors and failures. The main barriers to improving protection are small team size, network visibility, inadequate internal coordination, technology updating, lack of training, and lack of awareness. The sector has little community support to respond to incidents, and the national legal framework has not supported appropriate prosecution of cyber criminals; (2) the national IT risk management policy has reasonably covered most countermeasures related to reported security incidents. There are, however, several areas of gap; one of the most important is network security, which can enable sophisticated malware attacks; (3) today the level of cybersecurity education is mostly elementary in Ecuador. Academic interviewees at only four of the thirteen universities studied expressed confidence that they can provide students with reasonable preparation. Ecuador needs to design a national cybersecurity plan that prioritizes protection for critical infrastructure and should support strategies that allow the country to enhance cybersecurity capabilities. Properly designed, these initiatives should allow the nation to develop a core structure to confront current and emergent cyber challenges in the financial sector and other critical national operations, and build the human resources necessary to continue that effort.
8

Critical-Incident Response: A Study of Training, Management, and Mitigation in North Carolina Sheriffs' Offices.

Minton, Gregory Alan 08 May 2010
The purpose of this study was to determine the amount of training each sheriff's office requires in North Carolina and if that training includes multiagency exercises designed to mitigate a critical-incident response and identify any concerns from those training events. The study also compared departmental strength (number of sworn officers per agency) with county populations and geographic area of the state the agency is located in with the number of hours required annually by each agency. Finally, each agency was asked if it had participated in a multiagency exercise and a multiagency incident and to identify any issues that occurred within that training or response. This research indicated that over half of the sheriffs' offices had completed mandated training beyond what North Carolina requires. Only slight differences between regions of the state (mountains, piedmont, or coastal plain) were detected as well as slight differences within the county populations. However, it was discovered that the size of a sheriff's office did have significance; larger sheriff's offices often required more training than smaller offices. Sheriff's offices that had experienced multiagency exercises and multiagency incidents were more likely to exceed the North Carolina minimum training requirements as well. Finally, respondents who had participated in either a multiagency exercise or a multiagency incident indicated common problems and concerns within those responses. The reoccurring problems and concerns were: communications, training, and organization or combinations of the three.
9

Incidenthantering i molnmiljö / Incident response in a cloud environment

Nilsson, Niklas, Lindell, John, Möller, Linus January 2012
Incident response plans are faced with new challenges as organisations expand to the cloud; this thesis aims to highlight these challenges and their potential solutions. Our work has focused on managing the incident response in contrast to earlier work that has been focusing on preventing them. As with any development, security is seldom prioritized. Instead, the focus is often aimed towards usability and functionality, which means incident response plans are written, implemented, forgotten and finally become obsolete. This could result in an organization losing their ability to produce acceptable forensic images, avoid severe downtime, or prevent similar incidents in the future, which are all important parts of incident response. Traditional incident response plans do not address incidents in the cloud. Thus, an absence of guidelines for managing incidents in the cloud becomes apparent. By compiling literature and performing practical experiments, this thesis exposes weaknesses in traditional incident response plans and demonstrates a need for cloud-specific incident response plans. Based on the conducted experiments, we can conclude that with our cloud-specific incident response plan as a basis, a forensic recovery from a cloud instance can be done in such a way that privacy and confidentiality are maintained. The experiments have also provided a forensically sound method for connecting tools to a cloud instance; we call this approach "Virtual Incident Response Disk" (VIRD). / Incident response plans face new challenges when expanding to a cloud environment; this work aims to highlight the problems that arise when handling incidents in a cloud environment, along with potential solutions.
Incident response in this new environment has not been addressed to any great extent in earlier work, as research has focused on preventing incidents rather than handling them. As with all development, security work easily falls behind in favour of usability and functionality. This often shows in incident response, where incident response plans are written and implemented, only to be forgotten and eventually become obsolete. This can cause an organization to lose the ability to produce forensically acceptable images, which is an important part of incident response. Since incident response plans intended for traditional server environments do not address the handling of incidents in a cloud environment, they cannot be applied to new technology such as the cloud. By compiling literature and performing practical experiments, we have in this work exposed weaknesses in traditional incident response and demonstrated the need for a cloud-specific incident response plan. Based on the experiments we performed, we can conclude that with our cloud-specific incident response plan as a basis, a forensic extraction from a cloud instance can be carried out in such a way that the integrity and confidentiality of the evidence are maintained. Based on experience from our experiments, a forensically acceptable method for connecting tools to a cloud instance has also been developed; we call this approach "Virtual Incident Response Disk" (VIRD).
10

Návrh a implementace postupů pro automatizované řešení bezpečnostních incidentů / Proposal and implementation of procedures for automated response of security incidents

Hons, Kamil January 2021
This diploma thesis deals with the development of proposals for procedures for dealing with security incidents, both from a theoretical and practical point of view. Three generic scenarios in the form of graphical diagrams, designed in the Inkscape program, were created as a theoretical template for the automatic handling of security incidents. The first proposed scenario suggests a general procedure for dealing with an event in which an email attachment is marked as suspicious. The second scenario serves as a suggested procedure for handling an event where an untrusted external IP address is suspected to be communicating with a local one. The third scenario then suggests an investigation procedure for events where a suspicious file on a remote device needs to be investigated. Based on these created scenarios, a practical implementation of procedures for automated solving of security incidents was performed and documented in the Python programming language within the Splunk Phantom environment. As part of the documentation of the scenario implementation, two audiovisual demonstrations were created to illustrate the designed environment and the functionality of the implemented scenarios using programs such as OBS and Blender. The individual implementations are tested at the end of the thesis by running them automatically over events from a defined time range. The results are clearly analyzed in the form of tables to determine the success of these scenarios, which is based on checking how the analysis results differ from the original assumptions. Based on the analysis, the practical implementations of the scenarios have been modified to ensure that their output matches the assumption. Thus, the results are three proposed, tested and analyzed scenarios, which can further serve as a basis for specific implementations in a corporate information system.
The actual implementation of the theoretical scenarios was carried out within a testing environment and the work includes a description of the communication and a setup of the environment. Finally, the results of the individual scenarios were described.
